Network Connectivity Checks

# Outbound connectivity tests
# -k skips TLS certificate verification: acceptable for a reachability check,
# but a success here says nothing about whether the HEC certificate is trusted.
curl -k -v https://domain.com:8088
curl -k -v https://<splunk_hec_hostname_or_ip>:8088
# -z probes without sending data; -v prints the per-port result
nc -zv <ipaddress> <port>          # Outbound test to specific IP and port

🔧 Network and Connectivity Checks

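# Listening TCP/UDP sockets, numeric (no name resolution)
netstat -tuln
# 9997 is the forwarder-to-indexer receiving port used elsewhere in these notes
sudo netstat -tuln | grep 9997
# Reachability of the indexer receiving (9997), syslog (10514) and management (8089) ports
telnet 10.180.74.35 9997
telnet 10.180.74.35 10514
telnet 10.180.74.35 8089
ping 10.180.74.35
sudo firewall-cmd --state
# --permanent only writes the rule to the on-disk config; the running firewall
# is unchanged until it is reloaded, so the reload step is required for the
# port to actually open.
# NOTE(review): the UDP input example further down listens on 10514, not 514 —
# confirm which port the firewall rule is meant for.
sudo firewall-cmd --zone=public --add-port=514/udp --permanent
sudo firewall-cmd --reload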

# Syslog dump
# Capture on all interfaces (needs root or CAP_NET_RAW). The payloads are the
# log lines themselves, so a saved capture (-w) is as sensitive as the logs.
tcpdump -i any port 514
tcpdump -i any port 10514

# Inbound connectivity checks

# Is the HEC listener bound?
ss -tuln | grep 8088              # Check if port 8088 is listening
# Established TCP sessions whose local port is 8088 (currently connected HEC clients)
ss -tn state established '( sport = :8088 )'  # Active inbound connections

# HEC Event Submission

Test event submission to HEC

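# Send one JSON event to the HEC /event endpoint.
# The token is a bearer credential that grants write access to the target
# index; it is read from the HEC_TOKEN environment variable here so the value
# does not sit in notes or shell history (the original line carried a literal token).
# -k skips certificate verification; drop it once the HEC certificate is trusted.
curl -k https://179.66.0.66:8088/services/collector/event \
  -H "Authorization: Splunk ${HEC_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"event": "test event", "sourcetype": "BS_HTTP_cloudflare:json", "index": "lll_cloudflare"}'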

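# Send a raw event to the HEC /raw endpoint.
# Token comes from the HEC_TOKEN environment variable (the original line carried a
# literal, malformed token). Note the plain http:// scheme: this only works when
# enableSSL is turned off for the [http] input; with TLS enabled use https://
# (plus -k while the certificate is untrusted) as in the /event example above.
# NOTE(review): /raw presumably stores the body verbatim, so the JSON braces
# become part of the event text — confirm if a parsed event is expected.
curl http://<ip>:8088/services/collector/raw \
  -H "Authorization: Splunk ${HEC_TOKEN}" \
  -d '{"event": "Hello World"}'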
  
Splunk Service Control

# Service control, run from $SPLUNK_HOME/bin
./splunk start
./splunk stop
./splunk restart
# Non-interactive first start: accepts the license and answers prompts with yes
./splunk start --accept-license --answer-yes

🗑️ Deleting Old Offline Files

# Remove frozen-bucket files older than 365 days under the offline path that
# the indexes.conf example on this page uses as coldToFrozenDir.
# Replace `-exec rm -v {} \;` with `-print` first to review the candidate list;
# the deletion cannot be undone.
find /opt/splunk/var/lib/splunk_offline -type f -mtime +365 -exec rm -v {} \;

🔍 btool Debugging

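# btool prints the merged, effective configuration for one conf file; --debug
# prefixes each line with the file it came from.
# Its first argument is always a conf-file basename (inputs, outputs, server, ...);
# search for a port, host or key by piping the output through grep.
./splunk btool inputs list --debug
./splunk btool outputs list --debug
./splunk btool props list --debug
./splunk btool transforms list --debug
./splunk btool indexes list --debug
./splunk btool inputs list --debug | grep -i "jamf_pro"
# Only settings that come from a local/ directory (site overrides)
/opt/splunk/bin/splunk btool inputs list --debug | grep -i local
/opt/splunk/bin/splunk btool outputs list --debug | grep -i local
/opt/splunk/bin/splunk btool props list --debug | grep -i local

./splunk btool inputs list --debug | grep local
# Port 514 is an inputs.conf setting; master_uri and 8089 live in server.conf /
# deploymentclient.conf. Query those files and grep for the value — passing the
# value as the conf name (e.g. `btool 514 list`) looks for a 514.conf that does
# not exist and prints nothing.
./splunk btool inputs list --debug | grep 514 | grep local
./splunk btool server list --debug | grep master_uri
./splunk btool server list --debug | grep 8089
./splunk btool deploymentclient list --debug | grep 8089
# An IP address can appear in several conf files; check the likely ones
for conf in inputs outputs server deploymentclient; do
  ./splunk btool "$conf" list --debug | grep 10.240.1.2 | grep local
done
./splunk btool limits list --debug | grep -i "maxkbps"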


## 🔐 SSL Certificate Check

# Print only the notAfter date of the certificate splunkd uses (server.pem).
# `splunk cmd` runs the openssl bundled with Splunk so the same library Splunk
# links is used. This checks expiry only — not the chain, the SAN or the key match.
/opt/splunk/bin/splunk cmd openssl x509 -enddate -noout -in /opt/splunk/etc/auth/server.pem

📦 Index & Storage Health


# Size of each index directory; assumes SPLUNK_DB is exported in this shell
# (otherwise the glob expands to /* and sizes the root filesystem)
du -sh $SPLUNK_DB/*
# Free space per mounted filesystem
df -h


## 🧼 Disk & Dispatch Cleanup

# Free space on the volume holding search dispatch directories
df -h /opt/splunk/var/run/splunk/dispatch
# Dispatch directories older than 2 days in the CURRENT directory, so run this
# from the dispatch path; -print only lists them, nothing is removed
find . -maxdepth 1 -type d -name 'dispatch_*' -mtime +2 -print
du -sh /opt/splunk/var/run/splunk/dispatch/*
# Top 30 disk consumers on the root filesystem (-x does not cross mount points)
du -ahx / | sort -rh | head -30

## 🧼 SPLUNK CLEANUP & PROCESS KILL


# Kill every process owned by splunksvc whose full command line (-f) matches
# python3.7 — that includes modular and scripted inputs, not just one stuck
# script. List the candidates first with `pgrep -u splunksvc -af python3.7`.
pkill -u splunksvc -f python3.7
# Memory in MiB, to confirm the kill freed what was expected
free -m


## 🧹 HOUSEKEEPING & GENERAL OPS

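# Size of each entry in the current directory, then the same sorted largest first
du -sh *
du -sh * | sort -hr
df -h
# Newest entries last; filter by a name fragment
ls -ltr | grep "o365"
# The pattern must be quoted: an unquoted HOSTNAME* is a shell glob and is
# expanded against the current directory's files before grep ever runs.
ls -ltr | grep "HOSTNAME"
# (the original listed the master_uri filter twice; once is enough)
ls -ltr | grep "master_uri"
ls -ltr | grep "uri"
ls -ltr | grep "8089"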


## 👥 SHC/Cluster Maintenance

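# Search-head cluster and KV store status, plus this node's identity
./splunk show shcluster-status --verbose
./splunk show kvstore-status --verbose
./splunk show servername
./splunk show default-hostname

# Clean raft manually
# Wipes this member's raft state; only do this on a member that is about to be
# re-bootstrapped into the cluster.
./splunk clean raft

# Elect captain manually
# -servers_list takes a quoted, comma-separated list of member management URIs.
# (The original line was missing the closing quote.)
./splunk bootstrap shcluster-captain -servers_list "https://hostname:8089"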


📁 Example Inputs.conf HEC Config


# HEC token stanza: the text after http:// is the token's display name.
[http://jamf:protect:alerts]
disabled = 0
# host / index / token are left blank in this template and filled per deployment.
host = 
index = 
outputgroup = default-autolb-group
# The token value is the bearer credential HEC clients present in the
# Authorization header; keep the filled-in value out of shared notes.
token = 
# 0 = no indexer acknowledgement for events sent with this token
useACK = 0
# NOTE(review): `indexes` is the per-token index allow-list and is empty here —
# confirm whether that leaves clients free to set any `index` in the event.
indexes = 
description = Jamf protect telemetry
# NOTE(review): stanza name says "alerts" while source says "telemetry" — confirm intended.
source = jamf:protect:telemetry

# Global HEC settings; apply to every http:// token stanza.
[http]
disabled = 0
# Listener port; the same 8088 used by the curl tests above
port = 8088
useACK = 0
# NOTE(review): enableSSL is not set here, so whether 8088 speaks TLS follows the
# Splunk default — confirm the effective value with `btool inputs list --debug`.

# Second token stanza. "HEC TOKEN" in the stanza name and "HEC token" in the
# value are placeholders: the value is the credential clients present, so the
# real one belongs only in the deployed inputs.conf.
[http://Token:HEC TOKEN]
disabled = 0
token = HEC token
# Blank: no default index for this token
index = 
sourcetype = jamf:protect:telemetry
description = Jamf Protect Telemetry


🪵 Log File Analysis


# ERROR / WARN lines in splunkd.log (case-insensitive)
grep -i 'error' /opt/splunk/var/log/splunk/splunkd.log
grep -i 'warn' /opt/splunk/var/log/splunk/splunkd.log

# Real-time log monitoring
# splunkd = core daemon, metrics = queue/throughput counters, web_service = Splunk Web
tail -f /opt/splunk/var/log/splunk/splunkd.log
tail -f /opt/splunk/var/log/splunk/metrics.log
tail -f /opt/splunk/var/log/splunk/web_service.log

📜 Log Monitoring

# Follow splunkd.log; the second form shows only ERROR lines (case-sensitive)
tail -f /opt/splunk/var/log/splunk/splunkd.log
tail -f /opt/splunk/var/log/splunk/splunkd.log | grep "ERROR"
# Last 100 lines only (returns immediately), case-insensitive
tail -n 100 /opt/splunk/var/log/splunk/splunkd.log | grep -i "ERROR"
# blocked=true in metrics.log marks a full processing queue — a back-pressure symptom
tail -n 100 /opt/splunk/var/log/splunk/metrics.log | grep -i "blocked=true"

📥 Data Input Troubleshooting


# TcpInputProc logs forwarder connections on the receiving port (9997 in these notes)
grep 'TcpInputProc' /opt/splunk/var/log/splunk/splunkd.log
# Per-index throughput samples; an index that stops appearing has stopped receiving data
tail -f /opt/splunk/var/log/splunk/metrics.log | grep 'group=per_index_thruput'


## 📦 Splunk Backup (Manual)

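# Archive the whole configuration tree. /opt/splunk/etc contains splunk.secret and
# the $7$-encrypted passwords in server.conf, so the archive is as sensitive as the
# live files: keep it owner-readable only (chmod 600 rather than 777) and delete the
# /tmp copy when finished.
# One name is used for all four steps; the original used a different filename on
# each line, so the copy/chmod/rm never referred to the file that tar created.
# (constructed sample name: host and date)
BACKUP="splunk_backup_$(hostname)_$(date +%Y%m%d).tar.gz"
tar -czvf "$BACKUP" /opt/splunk/etc
cp -v "$BACKUP" /tmp
chmod 600 "/tmp/$BACKUP"
rm -f "/tmp/$BACKUP"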

🔄 Forwarding & Deployment Monitoring

# Indexers this forwarder is configured to send to, with their current connection state
/opt/splunk/bin/splunk list forward-server
# Effective outputs.conf settings that come from a local/ directory
/opt/splunk/bin/splunk btool outputs list --debug | grep -i local



🔐 Permissions & Ownership Issues

# Ownership of installed apps and of index storage
ls -l /opt/splunk/etc/apps/
ls -l $SPLUNK_DB
# Recursive chown of the entire install; run while splunkd is stopped.
# NOTE(review): other commands on this page use the splunksvc account and
# /opt/splunksvc — confirm splunk:splunk is the service user on this host first.
chown -R splunk:splunk $SPLUNK_HOME

➡️ Forwarder Troubleshooting

# Anything bound to or connected on 9997 (the receiving port)? netstat and ss forms
netstat -an | grep 9997
ss -plnt | grep 9997
# Effective outputs.conf with the originating file per line
/opt/splunk/bin/splunk btool outputs list --debug
tail -f /opt/splunk/var/log/splunk/splunkd.log


⚙️ Performance Debugging


# Interactive process views (htop may not be installed by default)
top
htop
# Memory/CPU/IO counters every second
vmstat 1
ps -ef | grep splunk
# Five most CPU-hungry processes
ps -eo pid,user,comm,%cpu --sort=-%cpu | head -n 5


🪙 License Issues

# License warnings/violations and license-master connectivity messages
grep -i license /opt/splunk/var/log/splunk/splunkd.log

🌐 Splunk Web UI Troubleshooting
# Is Splunk Web listening on its port (8000)?
ss -plnt | grep 8000
tail -f /opt/splunk/var/log/splunk/web_service.log

🗄️ Example indexes.conf config


# Index definition: hot/warm and cold buckets on named volumes; frozen buckets
# are copied to coldToFrozenDir instead of being deleted.
# NOTE(review): the stanza name (lll_), the volume paths (llg_) and the
# thawed/frozen paths (abc_) use three different prefixes — confirm they are
# meant to be one and the same index.
[lll_cloudproxy_fp]
homePath = volume:hotwarmdata/llg_cloudproxy_fp/db
coldPath = volume:colddata/llg_cloudproxy_fp/colddb
thawedPath = /opt/splunk/var/lib/splunk_online/abc_cloudproxy_fp/thaweddb
coldToFrozenDir = /opt/splunk/var/lib/splunk_offline/abc_cloudproxy_fp/frozendb
# Hash raw data at index time so `splunk check-integrity` (see below) can detect tampering
enableDataIntegrityControl = true


🌐 HEC via Public IP & NAT


# External sources like Jamf or Cloudflare send to public IP.
# Firewall translates public IP:8088 → internal IP:8088 using NAT.
# Ensure firewall allows inbound traffic on port 8088.

🧪 Additional Commands


# NOTE(review): 8088 is the HEC listener port elsewhere on this page, while
# api.cloudflare.com is an outbound destination — confirm the intended host/port.
curl -k -v https://api.cloudflare.com:8088
# LDAP authentication problems (bind failures, search errors)
grep -i ldap /opt/splunk/var/log/splunk/splunkd.log






## Basic Navigation

# Common working directories
cd /opt/splunk
# NOTE(review): /opt/splunksvc and /opt/splunk both appear on this page — confirm which install is meant
cd /opt/splunksvc
cd /opt/splunk/bin
cd /opt/splunk/etc
cd /opt/splunk/var/log/splunk/
# Search dispatch directory (see the cleanup commands above)
cd /opt/splunk/var/run/splunk/dispatch/
cd /tmp
cd ~
pwd
# ll is a shell alias (usually ls -l); use the ls line below if it is undefined
ll
ls -altrh
df -h
uptime
ps -ef | grep splunk

📋 Configuration File Checks

# Print local overrides. system/local/server.conf carries pass4SymmKey and
# sslPassword values, so do not paste its output into tickets or chat.
cat /opt/splunk/etc/system/local/inputs.conf
cat /opt/splunk/etc/system/local/server.conf
cat /opt/splunk/etc/apps/OM_all_deploymentclient/local/inputs.conf
cat /opt/splunk/etc/apps/OM_splunk_forwarder_outputs/local/outputs.conf
cat /opt/splunk/etc/apps/Splunk_TA_nix_oci/local/inputs.conf
# NOTE(review): "orace" in the app name may be a typo for "oracle" — verify the path exists
cat /opt/splunk/etc/apps/Splunk_TA_nix_oci_orace_parsing/local/props.conf
# Shipped defaults, for reference only; overrides belong in local/
cat /opt/splunk/etc/system/default/outputs.conf

SPLUNK APP DEPLOYMENT & FILE OPERATIONS

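# Copy an app as the starting point for a new one.
# NOTE(review): "Kubernetesss" (three s) looks like a typo — check the target name.
cp -R Splunk_TA_microsoft-cloudservices OM_Parsing_Kubernetesss
# Full config backup to /usr/confbkp. The tree contains splunk.secret and the
# encrypted credentials, so restrict the destination to the Splunk service account.
cp -rf /opt/splunk/etc /usr/confbkp
# Mark the app's scripts executable. The glob covers every *.sh in bin/; the
# original pointed at a literal file named ".sh", which is almost certainly not
# what was intended.
chmod +x /opt/splunk/etc/deployment-apps/Splunk_TA_nix_azure/bin/*.sh
chmod +x /opt/splunk/etc/apps/Splunk_TA_nix_azure/bin/*.sh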

🔍 SPLUNK LOG GREP CHECKS

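# Azure-related entries in splunkd.log; the second form shows only the first 10
grep -i "azure" /opt/splunk/var/log/splunk/splunkd.log
grep -i "azure" /opt/splunk/var/log/splunk/splunkd.log | head -n 10
# KV store (mongod) TLS / certificate problems. grep reads the file directly
# (no cat pipe) and the path is absolute, so these work from any directory —
# the original relative mongod.log only worked from the log directory.
grep "ssl" /opt/splunk/var/log/splunk/mongod.log
grep "expired" /opt/splunk/var/log/splunk/mongod.log
tail -n 50 /opt/splunk/var/log/splunk/mongod.log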


🧪 Other Useful Checks

# Verify bucket hashes for indexes that have enableDataIntegrityControl = true
# (see the indexes.conf example above). The bare `splunk` form needs
# $SPLUNK_HOME/bin on PATH; the absolute form does not.
# NOTE(review): check-integrity expects an -index or -bucketPath argument —
# confirm against `splunk help check-integrity`.
splunk check-integrity
/opt/splunk/bin/splunk check-integrity


## SPLUNK CONFIG FILE PATHS (KEY LOCATIONS)
🔸 Lhh_Parsing_Kubernetes (props.conf)

# Index-time rewrite for the mscs:storage:blob sourcetype: drops every
# `"key": "value",` pair except those whose key is log, pod, containerID or
# resourceId (the negative lookahead keeps those). Applies only to data
# indexed after the change, not to events already stored.
[mscs:storage:blob]
SEDCMD-apiserver = s/\"(?!log\"|pod\"|containerID\"|resourceId\")[^"]+\":\s*\"[^\"]+\",\s*//g

🔸 OM_splunk_forwarder_outputs (outputs.conf)

# Forwarder output group; events are load-balanced across the indexers in `server`.
[tcpout:primary_indexers]
defaultGroup = primary_indexers
# Index filtering disabled: every index is forwarded, so the
# forwardedindex.2.whitelist line below has no effect while this is true.
forwardedindex.filter.disable = true
# Forward only; this host does not also index locally
indexAndForward = false
# In-memory output queue size
maxQueueSize = 7MB
# Rotate between indexers on a time basis even while a connection is open
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
# INDEXERn are placeholders. No TLS settings (sslPassword, clientCert, ...) appear
# in this stanza, so any forwarder-to-indexer TLS must be configured elsewhere.
server = INDEXER1:9997,INDEXER2:9997,INDEXER3:9997,INDEXER4:9997

🔸 OM_splunk_forwarder_outputs/local (limits.conf)

# Forwarder throughput cap; 0 removes the limit (per limits.conf.spec), so this
# host can saturate the link to the indexers.
[thruput]
maxKBps = 0

🔸 OM_all_deploymentclient/local (deploymentclient.conf)

# How often this client polls the deployment server for app updates (seconds)
[deployment-client]
phoneHomeIntervalInSecs = 600

# Deployment server reached on its management port (8089), addressed by IP.
# NOTE(review): with a bare IP the server certificate cannot be matched to a
# hostname — confirm whether certificate verification is enabled for this client.
[target-broker:deploymentServer]
targetUri = 10.224.122.21:8089

🔸 OM_full_license_server/local (server.conf)

# License manager this node reports to, on the management port.
# NOTE(review): `[:]` looks like a defanged colon in these notes — the live
# value is host:port (https://LICENSEMASTER:8089). Confirm before copying.
[license]
master_uri = https://LICENSEMASTER[:]8089

🔸 OM_web_ssl_forUI/local (web.conf)

# Splunk Web served over HTTPS.
# The certificate/key paths are commented out, so with this file alone Splunk
# Web presumably falls back to its bundled self-signed certificate — browsers
# will warn until the OMG_certs lines are restored and point at valid files.
[settings]
enableSplunkWebSSL = 1
#privKeyPath = /opt/splunk/etc/auth/OMG_certs/OmgSplunkWebPrivatekey.key
#serverCert = /opt/splunk/etc/auth/OMG_certs/Omghf1finalcert.pem

🔸 system/local/server.conf

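# Node identity and the shared secret used between cluster members/forwarders
# and the management port.
# Real $7$ values are redacted here: they are reversible with the host's
# splunk.secret, so a note containing both is equivalent to the plaintext.
# A plaintext pass4SymmKey written into this file is rewritten to the $7$ form
# by splunkd on the next start.
[general]
serverName = HOSTNAME
pass4SymmKey = <REDACTED $7$ value>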

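# Passphrase for the private key in server.pem. Redacted for the same reason as
# pass4SymmKey above: the $7$ form is decryptable with splunk.secret, so it does
# not belong in shared notes.
[sslConfig]
sslPassword = <REDACTED $7$ value>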

# Auto-generated license pool for the download-trial stack: unlimited quota,
# every peer (slaves = *) may draw from it.
# NOTE(review): the three pool stanzas below use two different prefixes
# (OOmpool / OOpool) — confirm the intended stanza name before reusing.
[OOmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
quota = MAX
slaves = *
stack_id = download-trial

# Auto-generated pool for the forwarder license stack; unlimited quota, all peers.
[OOmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

# Auto-generated pool for the free license stack; unlimited quota, all peers.
# NOTE(review): prefix here is OOpool, unlike the two OOmpool stanzas above.
[OOpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free

# Empty stanza: no KV store overrides, defaults apply
[kvstore]

🔸 UDP Input

# Syslog over UDP on 10514 (the firewall example above opens 514/udp — confirm
# which port is intended). UDP syslog carries no authentication or transport
# encryption, so the host field is only as trustworthy as the network path.
[udp://10514]
disabled = false
sourcetype = syslog
# NOTE(review): the index name contains "=" (om=pg_...), which does not look like
# a valid index name — probably meant om_pg_unix_syslog_azure; verify against indexes.conf.
index = om=pg_unix_syslog_azure


